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Abstract. We consider a general notion of timed automata with input- 
determined guards and show that they admit a robust logical framework 
along the lines of 6 , in terms of a monadic second order logic charac- 
terisation and an expressively complete timed temporal logic. We then 
generalise these automata using the notion of recursive operators intro- 
duced by Henzinger, Raskin, and Schobbens 0, and show that they 
admit a similar logical framework. These results hold in the "pointwise" 
semantics. We finally use this framework to show that the real-time logic 
MITL of Alur et al |5| is expressively complete with respect to an MSO 
corresponding to an appropriate input-determined operator. 
Keywords: timed automata, monadic second-order logic, real-time tem- 
poral logics 



1 Introduction 

The timed automata of Alur and Dill are a popular model for describing timed 
behaviours. While these automata have the plus point of being very expressive 
and having a decidable emptiness problem, they are neither determinisable nor 
closed under complementation. This is a drawback from a couple of points of 
view. Firstly, one cannot carry out model checking in the framework where a 
system is modelled as a timed transition system T and a specification of timed 
behaviours as a timed automaton A, and where one asks "is L{T) C L{A)T\ 
This would normally involve complementing A and then checking if its inter- 
section with T is non-empty. One can get around this problem to some extent 
by using determinisable specifications, or specifying directly the negation of the 
required property. A second reason why lack of closure properties may concern 
us is that it precludes the existence of an unrestricted logical characterisation of 
the class of languages accepted by timed automata. The existence of a monadic 
second order logic (MSO) characterisation of a class of languages is a strong en- 
dorsement of the "regularity" of the class. It also helps in identifying expressively 
complete temporal logics, which are natural to use as specification languages and 
have relatively efficient model checking algorithms. 



The event clock automata of 3 was one of the first steps towards identifying 
a subclass of timed automata with the required closure properties. They were 
shown to be determinisable in 3 , and later to admit a robust logical framework 
in terms of an MSO characterisation and an expressively complete timed tempo- 
ral logic |B] . Similar results were shown in jJJ] , [5] and |7j . A common technique 
used in all these results was the idea of "implicit" clocks, whose values are de- 
termined solely by the timed word being read. For example the event recording 
clock Xa records the time since the last a action w.r.t. the current position in a 
timed word, and is thus implicitly reset with each a action. The truth of a guard 
over these clocks at a point in a timed word is thus completely determined by 
the word itself, unlike in a timed automaton where the value of a clock depends 
on the path taken in the automaton. 

In this paper we generalise the notion of an implicit clock to that of an input 
determined operator. An input determined operator A identifies for a given timed 
word and position in it, a set of intervals in which it is "satisfied". The guard 
I & A IS then satisfied at a point in a timed word if the set of intervals identified 
by A contains /. For example, the event recording clock Xa can be modelled as 
an input determined operator <la which identifies at a given point in a timed 
word, the (infinite) set of intervals containing the distance to the last a action. 
The guard {xa G /) now translates to (/ GOa). As an example to show that this 
framework is more general than implicit clocks, consider the input determined 
operator Oq inspired by the Metric Temporal logic (MTL) of |11I4| . This operator 
identifies the set of all intervals I for which there is a future occurrence of an o 
at a distance which lies in I. The guard / £ is now true iff there is a future 
occurrence of an a action, at a distance which lies in /. 

Timed automata which use guards based on a set of input determined op- 
erators are what we call input determined automata. We show that input de- 
termined automata form a robust class of timed languages, in that they are 
(a) determinisable, (b) effectively closed under boolean operations, (c) admit 
a logical characterisation via an unrestricted MSO, and (d) identify a natural 
expressively complete timed temporal logic. 

We then go over to a more expressive framework using the idea of recursive 
event clocks from 0. In the recursive version of our input determined operator, 
the operators now expect a third parameter (apart from the timed word and a 
position in it) which identifies a set of positions in the timed word. This argu- 
ment could be (recursively) another input determined automaton, or as is better 
illustrated, a temporal logic formula 9. The formula 9 naturally identifies a set 
of positions in a timed word where the formula is satisfied. Thus a recursive op- 
erator A along with the formula 9, written Ag, behaves like an input determined 
operator above, and the guard / g Ag is true iff the set of intervals identified 
by Ag contains /. These recursive input determined automata are also shown to 
admit similar robust logical properties above. 

We should be careful to point out here that, firstly, these results hold in the 
pointwise semantics, where formulas are evaluated only at the "action points" in 
a timed word (used e.g. in 5El)i and not at arbitrary points in between actions 



in a timed word as allowed in the continuous semantics of |2I9| . Secondly, we 
make no claims about the existence of decision procedures for these automata 
and logics. In fact it can be seen the operator Oa above takes us out of the class 
of timed automata as we can define the language of timed sequences of a's in 
which no two a's are a distance 1 apart, with a single state input determined 
automaton which has the guard g O^). Similar versions can be seen 

to have undecidable emptiness problems and correspondingly undecidable logics 
U . Thus the contribution of this paper should be seen more in terms of a general 
framework for displaying logical characterisations of timed automata, and prov- 
ing expressive completeness of temporal logics related to these automata. Many 
of the results along these lines from |7I6| and some in the pointwise semantics 
from follow from the results in this paper. 

As a new application of this framework, we provide an expressive complete- 
ness result for MITL in the pointwise semantics, by showing that it is expressively 
equivalent to the first order fragment of an MSO based on recursive operators. 
This answers an open question from |13|. apart from identifying an interesting 
class of timed automata. 

The techniques used in this paper essentially build on those from 7^ and 
which use the notion of proper symbolic alphabets and factor through the 
results of Biichi [3| and Kamp 10 . The idea of using recursive operators comes 
from who show a variety of expressiveness results, including an expressive 
completeness for MITL in the continuous semantics. Their result for MITL is 
more interesting in that it uses event-clock modalities, while we use essentially 
the same modalities as MITL. However, our MSO is more natural as unlike the 
MSO in l2j it has unrestricted second order quantification. 

2 Input determined automata 

We use N to denote the set of natural numbers {0, 1, . . .}, and R-*^ and Q-*^ to 
denote the set of non-negative reals and rationals respectively. The set of finite 
and infinite words over an alphabet A will be denoted by A* and A'^ respectively. 
We use the notation X ^ Y to denote the set of functions from X to Y. 

An (infinite) timed word over an alphabet S is an element a of {E x M-")" 
satisfying the following conditions. Let cr = (ag, to){ai, ti) ■ ■ ■. Then: 

1. (monotonicity) for each i d N, ti < ii+i, 

2. (progressiveness) for each t G R-*^ there exists i G N such that ti > t. 

Let TS'^ denote the set of infinite timed words over S. Where convenient, we 
will use the representation of a as (a, r) where a G S'^ and t : N ^ R-° is a 
time sequence satisfying the conditions above. 

We will use rational bounded intervals to specify timing constraints. These 
intervals can be open or closed, and we allow oo as an open right end. These 
intervals denote a subset of reals in the usual manner - for example [2,oo) 
denotes the set {t G \ 2 <t}. The set of all such intervals is denoted Jq. 



Our input determined automata will use guards of the form "/ G A" , where 
I is an interval and A is an operator which determines for a given timed word 
a and a position i in it, a set of intervals "satisfying" it at that point. We then 
say that a at position i satisfies the guard "/ G A" if / belongs to the set of 
intervals identified by A. By a "position" in the timed word we mean one of the 
"action points" or instants given by the time-stamp sequence, and use natural 
numbers i (instead of the time T(i)) to denote these positions. More formally, 
an input determined operator A (w.r.t. the alphabet S) has a semantic function 
lAj : { TE^ X N) -> 2^<3. The guard / e Z\ is satisfied at position i in cr e TZ"" 
mi^lA\{a,i). 

The transitions of our input determined automata are labelled by symbolic 
actions of the form {a,g) where a is an action, and t/ is a guard which is a 
boolean combination of atomic guards of the form I € A. The set of guards over 
a finite set of input determined operators Op is denoted by Q{Op) and given by 
the syntax g ::= T\I(zA\^g\g\/g\gAg. The satisfaction of a guard g in 
a timed word a at position i, written cr, i \= g, is given in the expected way: we 
have a,i \= T always, cr, i |= / G Zi as above, and the boolean operators V, 
and A interpreted as usual. 

A symbolic alphabet F based on {S, Op) is a finite subset of Z' x Q{Op). 
An infinite word 7 in specifies in a natural way a subset of timed words 
twij) defined as follows. Let 7(1) = {ai,gi) for each i G N. Let a G TS'^ with 
a{i) — {bi,ti) for each j G N. Then a G tw{'y) iff for each i ^ N, bi — ai 
and (T, j \= gi- We extend the map tw to work on subsets of F'^ in the natural 
way. Thus, for L C F", we define tw{L) = U^^Z tw{'-f). Finally, we denote the 
vocabulary of intervals mentioned in F by ivoc{F). 

Recall that a Biichi automaton over an alphabet A is a structure A — 
{Q, s, — >, F) where Q is a finite set of states, s G Q is an initial state, — >C 
Q X A X Q is the transition relation, and F C Q is a set of accepting states. 
Let a G A'^ . A run of A over a is a map p : N Q which satisfies: p{0) = s 

and p(i) p{i + 1) for every i G N. We say p is an accepting run of A on a 
if p{i) G F for infinitely many i G N. The set of words accepted by A, denoted 
here as Lsym{A) (for the "symbohc" language accepted by A)^ is defined to be 
the set of words in A'^ on which A has an accepting run. 

We are now in a position to define an input determined automaton. An 
input determined automaton (IDA for short) over an alphabet S and a set of 
operators Op, is simply a Biichi automaton over a symbolic alphabet based on 
(17, Op). Viewed as a Biichi automaton over a symbolic alphabet F, an input 
determined automaton A accepts the language Lsym{A) C F"^ which we call 
the symbolic language accepted by A. However, we will be more interested in 
the timed language accepted by A: this is denoted L{A) and is defined to be 

tw{Lsym{A)). 

To give a concrete illustration of input determined automata, we show how 
the event clock automata of [S] can be realized in the above framework. Take 
Op to be the set of operators {<a, >a | a G Z}, where the operators <\a and 
Oa essentially record the time since the last a action, and the time to the next 



a action. The operator <\a (and similarly Oa) can be defined here by setting 
[<lal(CT,i) to be 

{/ e 2q I 3j < i : a{j) = a, r(i) - r(j) £ /, andVfc : j < k < i, a{k) ^ a}. 

As another example which we will use later in the paper, consider the operator 
Oa related to MTL |lll4j . The guard Oa £ / is meant to be true in a word a 
at time i iff there is a future instant j labelled a and the distance to it lies in 
I - i.e. t(j) — T(i) £ /. The guard ^ a ^ I makes a similar assertion about the 
past of cr w.r.t. the current position. An input determined automaton based on 
these operators can be defined by taking Op = {Oa,Oa | a G E}, and where, 
for example, [Oa](cr, «) = {/ | 3j > i : — a, and T(j) — T{i) e /}. 

We now want to show that the class of timed languages accepted by input 
determined automata (for a given choice of S and Op) is closed under boolean 
operations. The notion of a proper symbolic alphabet will play an important role 
here and subsequently. A proper symbolic alphabet based on (^7, Op) is of the 
form r = E X {Op —> 2-^) where X is a finite subset of Xq. An element of F is thus 
of the form {a,h), where the set of intervals specified by h{A) is interpreted as the 
exact subset of intervals in ivoc{r) which are satisfied by A. This is formalised 
in the following definition of twr for a proper symbolic alphabet F. Let 7 G F'^ 
with 7(t) = {ai,hi). Let a £ TZ"^ with a{i) = {bi,ti). Then a £ twril) iff for 
each J £ N: 6i = fli and for each A £ Op, hi{A) — \A\{(j, i) n ivoc{F). 

Let F be a proper symbolic alphabet based on (Z', Op). Then a Biichi au- 
tomaton A over F , which we call a proper IDA over {S, Op), determines a timed 
language over S given by tw r{Lsym{A)). 

The class of timed languages defined by IDA's and proper IDA's over {S, Op) 
coincide. An IDA over a symbolic alphabet F can be converted to an equivalent 
one (in terms of the timed language they define) over a proper symbolic alphabet 
F' = Sx{Op ^ 2™°'=(^)). Firstly, each transition label (a,g) in F can be written 
in a disjunctive normal form (ci A • • • A Cfc), with each Ci being a conjunction of 
literals / £ Z\ or -i(/ £ A). Thus each transition labelled {a,g) can be replaced 
by a set of transitions labelled (a, Ci), one for each i. Now each transition labelled 
(a, c), with c a conjunct guard, can be replaced by a set of transitions (a, h), one 
for each h "consistent" with c: i.e. h should satisfy the condition that if / £ Z\ is 
one of the conjuncts in c then / £ h{A), and if -i(J £ A) is one of the conjuncts 
in c then / ^ h{A). In the other direction, to go from a proper IDA to an IDA, 
a label (a, h) of a proper symbolic alphabet can be replaced by the guard 

f\{ f\ {leA) ^ f\ ^(leA)). 

AeOp leh(A) l£ivoc{r)-h(A) 

The following property of proper symbolic alphabets will play a crucial role. 

Lemma 1. Let F be a proper symbolic alphabet based on U. Then for any a £ 
TU'^ there is a unique symbolic word 7 in F^ such that a ^ twp (7) • 

Proof. Let a{i) = {ai,ti). Then the only possible symbolic word 7 we can use 
must be given by 7(1) = {ai,hi), where hi{A) = |zi](CT, i) n ivoc{F). □ 



In the light of lemma ^ going from a symbolic alphabet to a proper one 
can be viewed as a step towards determinising the automaton with respect to 
its timed language. From here one can simply use classical automata theoretic 
techniques to determinise the automaton w.r.t. its symbolic language. (Of course, 
since we deal with infinite words we will need to go from a Biichi to a MuUer or 
Rabin acceptance condition [ISp. 

Theorem 1. The class of IDA's over [S, Op) are effectively closed under the 
boolean operations of union, intersection, and complement. 

Proof. It is sufficient to address union and complementation. Given automata A 
and B over symbolic alphabets F and A respectively, we can simply construct an 
automaton over F U A which accepts the union of the two symbolic languages. 
For complementing the timed language of A, we can go over to an equivalent 
proper IDA A' over a proper symbolic alphabet F' , and now simply complement 
the symbolic language accepted by A' to get an automaton C. It is easy to 
verify, using the uniqueness property of proper alphabets given in Lemma ^ 
that L{C) = ri7" — L{A'). In the constructions above we have made use of the 
closure properties of w-regular languages ^H] . □ 



3 A logical characterisation of IDA's 



We now show that input determined automata admit a natural characterisation 
via a timed MSO in the spirit of ^5^. Recall that for an alphabet A, Biichi's 
monadic second order logic (denoted here by MSO(A)) is given as follows: 

if ::= Qa{x) \ X e X \ X < y \ ^ip \ {(p\J if) \ 3xip \ 3Xip. 

The logic is interpreted over a word a G A^ , along with an interpretation I 
which assigns individual variables x a position in a (i.e. an i S N), and to set 
variables X a set of positions S" C N. The relation < is interpreted as the usual 
ordering of natural numbers, and the predicate Qa (one for each a e A) as the 
set of positions in a labelled a. 

The formal semantics of the logic is given below. For an interpretation I 
we use the notation I[i/a;] to denote the interpretation which sends x to i and 
agrees with I on all other variables. Similarly, I[S'/X] denotes the modification 
of I which maps the set variable X to a subset S of N. Later we will also use 
the notation [i/x\ to denote the interpretation with sends x to i when the rest 
of the interpretation is irrelevant. 



a, I h Qa{x) iff a{l{x)) = a. 

a, I 1= a; e X iff I(a;) G 1{X). 

aj^x <y iff l{x) < l{y). 

a,I \= 3x(p iff there exists i e N such that cr, \= (p. 

a, I 1= 3X(p iff there exists S" C N such that a, l[S/X] |= (p. 



For a sentence (p (i.e. a formula without free variables) in MS0(v4) we set 
L{(f) = {o- G I (T 1= ip}. Biichi's result then states that a language L C is 
accepted by a Biichi automaton over A\E L — L{(p) for a sentence (p in MSO(^). 

We define a timed MSO called TMSO(Z', Op), parameterised by the alphabet 
S and set of input determined operators Op, whose syntax is given by: 

P ■■= Qa{x) I / G ^(2;) \ x^X\x<y \ -193 I {py p) I 3xp I 3Xp. 

In the predicate "/ G Z\(x)", / is an interval in Iq, A G Op, and a; is a variable. 

The logic is interpreted in a similar manner to MSO, except that models are 
now timed words over S. In particular, for a timed word cr = (a,T), we have: 



Given a sentence p in TMSO(Z') we define L{p) ^ {a € TS"^ | cr |= v^}. 

Theorem 2. A timed language L C TS'^ is accepted by an input determined 
automaton over (S, Op) iff L — L{p) for some sentence p in TMS0(I7, Op). 

Proof. Given an IDA A over [S, Op) we can give a TMSO sentence p which 
describes the existence of an accepting run of on a timed word. Following |15| . 
for A = {Q, qo, — », F) with Q = {qq, . . . qn}, we can take p to be the sentence 

• ■ • 3X„ ( G A /\yxix eX, ^ -n{x G Xj)) 
{*) AWx y (x e X, A {x + l)eXj hQa{x)Ag') 

(a, 9) 

9i — >qj 

A \J \lx3y{x <yAye Xi)). 

Here g' denotes the formula obtained by replacing each / G Z\ in 5 by / G ^(2^)- 
Further, "0 G ^o" abbreviates \/x {zero{x) a; G Xq) where zero{x) in turn 
stands for ->3y{y < x). Similarly x + 1 Xj can be expressed via yy{succx{y) 
y G Xj), where succx{y) is the formula x < y A -i3z{x < z A z < y). 

In the converse direction we take the route used in jBj as it will be useful in 
the sequel. Let phe a, formula in TMSO(^, Op), and let T be a proper symbolic 
alphabet with the same interval vocabulary as p>. We give a way of translating 
(p to a formula t-s{p) in MSO(r') in such a way that the timed languages are 
preserved. The translation t-s is done with respect to F and simply replaces each 
occurrence of 

Qa{x) by \J Q{b,h){x) and I e A{x) by \J Q{a,h){x)- 



a,l^Qa{x) iff a(I(a;)) = a 
a,I[=I e A{x) iff J G [Z\l(a,I(x)). 



{b,h)er, b=a 



(a,h)er, leh(A) 



The translation preserves the timed models of a formula (p in the following sense: 



Lemma 2. Let a € TE^ , 7 G , and a G twri'y)- ^ interpretation 
for variables. Then ct, I ^ ijff 7, 1 |= t-s(if). □ 

The lemma is easy to prove using induction on the structure of the formula ip 
and making use of the properties of proper symbolic alphabets. From the lemma 
it immediately follows now that for a sentence if in TMS0(i7, Op), we have 
L{lp) — twr{L{t-s{(p))), and this is the sense in which the translation preserves 
timed languages. 

We can now argue the converse direction of Theorem [21 using this translation 
and factoring through Biichi's theorem. Let ip he a. sentence in TMSO(Z', Op) 
and let Ip = t-s{ip). Then by Biichi's theorem we have an automaton A over 
r which recognises exactly L{(p). Thus A is our required proper IDA since 
L{A) = twr{Lsy,n{A)) = twr{L[(p)) = L{ip). □ 



4 An expressively complete timed LTL 

In this section we identify a natural, expressively complete, timed temporal logic 
based on input determined operators. The logic is denoted TLTL(Z', Op), pa- 
rameterised by the alphabet S and set of input determined operators Op. The 
formulas of TLTL(Z', Op) are given by: 

9::= a\I eA\(Z)e\0e\ {0U9) \ {936) \ -^9 \ {9 V 9). 

Here we require a € S, I e Iq, and A G Op. The models for TLTL(Z', Op) 
formulas are timed words over U. Let cr G TS'^ , with a — {a, t), and let i G N. 
Then the satisfaction relation f7,i \= \s given by 





i a 


iff 


a{i) — a 




cr, 


i^IcA 


iff 


IelA\{a,i) 




cr. 


i h &9 


iff 


a,i + l^9 




cr. 


i h 09 


iff 


i > {) and cr, i — 1 ^9 




cr. 


i ^ 9Ur^ 


iff 


3k > i : a,k \^ rj and Vj : 


i <j < k, a,j \= 


cr. 


i h eSr^ 


iff 


3k < i : a,k \^ rj and Vj : 


k < j <i, cr,j \= 



We define L{9) = {ct G TS"^ \cr,0\= ^p}. 

Let us denote by TFO(Z', Op) the first-order fragment of TMSO(Z', Op) (i.e. 
the fragment we get by disallowing quantification over set variables). The logics 
TLTL and TFO are expressively equivalent in the following sense: 

Theorem 3. A timed language L C TS'^ is definable by a TLTL(Z', Op) for- 
mula 9 iff it is definable by a sentence ip in TFO(Z', Op). 

Proof. Given a TLTL(Z', Op) formula 6 we can associate an TFO(Z', Op) formula 
(p which has a single free variable x, and satisfies the property that a,i ^ 6* iff 
(7, [i/x] \= (p. This can be done in a straightforward inductive manner as follows. 
For the atomic formulas a and / G Z\ we can take (p to be Qa{x) and I £ A{x) 



respectively. In the inductive step, assuming we have ah'eady translated and 77 
into if and respectively, we can translate OUr] into 

3y(a; < y A ip[y/x\ A \/z{{x < z A z < y) ^ ip[z/x])). 

Here V'iy/a^] denotes the standard renaming of the free variable a; to y in ip. The 
remaining modalities are handled in a similar way, and we can verify that if ip 
is the above translation of 6 then cr, i ^ 6* iff cr, [i/x] Lp. It also follows that 
(7,0 satisfies iff ct satisfies the sentence (po given by yx{zero{x) p). Hence 
we have that L{6) — L{ipo). 

In the converse direction a more transparent proof is obtained by factoring 
through Kamp's result for classical LTL. Recall that the syntax of LTL(A) is 
given by: 

0::= a\0e\0e\ [euo) I [eso) \^e\{eye) 

where a G A. The semantics is given in a similar manner to TLTL, except that 
models are words in . In particular the satisfaction relation a,i \= for the 
atomic formula a is given by: a,i |= a iff a{i) = a. Let FO(^) denote the first- 
order fragment of MSO(A). Then the result due to Kamp [TO] states that: 

Theorem 4 ( jlOp . LTL (A) is expressively equivalent to FO(A). □ 

Consider now a proper symbolic alphabet 7^ based on {S , Op). We can define 
a timed language preserving translation of an LTL(_r) formula to a formula 
s-t(9) in TLTL(Z', Op). In the translation s-t we replace subformulas (a, /i) by 

aA /\ ( /\ (/eZi) A f\ ^(leA)). 

AeOp leh(A) Ieivoc(r)-h{A) 

It is easy to argue along the lines of Lemma ^ that 

Lemma 3. Let a e TZ"^ and 7 e T'^ with a G twr{"f). Then a,i \= s-t(6) iff 
7, i ^ □ 

Hence we have L{s-t{6)) — twr[L{9)). 

We can now translate a sentence ip in TFO(Z', Op) to an equivalent TLTL(Z', Op) 
formula as follows. Let F be the proper symbolic alphabet based on (Z", Op) 
with the same interval vocabulary as tf. Let (p be the YO{r) formula t-s{(p). Note 
that the translation s-t preserves first-orderness and hence ip belongs to FO{r). 
Now by Theorem^] we have a formula 9 in LTL(J^) which is equivalent to ip. We 
now use the translation t-s on the formula 9 to get a TLTL(i7, Op) formula 9. 
6 is our required TLTL(i7, Op) formula. Observe that firstly L{9) = twr{L{9)) 
by the property of the translation s-t. Next, by Kamp's theorem we have that 
L{9) — L{(p) and hence twr{L{9)) = twr{L{(p)). But by the property of the 
translation t-s applied to (p, we have twr{L{i^)) = L(ip), and hence we can con- 
clude that L{(p) = L{9). This completes the proof of Theorem |31 □ 



We point out here that the past temporal operators of ( "previous" ) and 
S ("since") can be dropped from our logic without affecting the expressiveness 
of the logic. This follows since it is shown in 8 that Theorem 0| holds for the 
future fragment of LTL. The reason we retain the past operators is because they 
are needed when we consider a recursive version of the logic in Section |7| 

5 Recursive input determined automata 

We now consider "recursive" input determined operators. The main motivation 
is to increase the expressive power of our automata, as well as to characterise the 
expressiveness of recursive temporal logics which occur naturally in the real-time 
setting. 

To introduce recursion in our operators, we need to consider parameterised 
(or recursive) input determined operators. These operators, which we continue to 
denote by A, have a semantic function [[Z\] : (2^ x TS'^ x N) 2^«, whose first 
argument is a subset of positions X. Thus A with the parameter X determines 
an input determined operator of the type introduced earlier, whose semantic 
function is given by the map (cr, «) ^ [Z\]](X, cr, i). The set of positions X will 
typically be specified by a temporal logic formula or a "floating" automaton, in 
the sense that given a timed word a, the formula (resp. automaton) will identify 
a set of positions in a where the formula is satisfied (resp. automaton accepts). 
These ideas will soon be made more precise. 

We first recall the idea of a "floating" automaton introduced in [^. These 
are automata which accept pairs of the form (cr, i) with a a timed word, and i a 
position (i.e. i G N). We will represent a "floating" word (<t, i) as a timed word 
over X {0, 1}. Thus a timed word v over Ux{0,l} represents the floating word 
(it, j), iS u = (a, /3, r), with (3 € {0, l}"^ with a single 1 in the i-th position, and 
a = (a,T). We use fw to denote the (partial) map which given a timed word u 
over S X {0, 1} returns the floating word (u, i) corresponding to i/, and extend 
it to apply to timed languages over S x {0, 1} in the natural way. 

Let Op be a set of input determined operators w.r.t. S. Then a floating IDA 
over {U, Op) is an IDA over {U x {0, 1}, Op'), where the set of operators Op' 
w.r.t. S X {0, 1} is defined to be {A' \ A e Op}, with the semantics 

lA'l{a',t)^lAl{a,t), 

where a' is a timed word over S x {0, 1}, with a' — {a,(3,T) and a — (a, r). 
Thus the operator A' simply ignores the {0, 1} component of cr' and behaves like 
A on the S component. A floating IDA B accepts the floating timed language 
Lf{B)^fw{LiB)). 

We now give a more precise definition of recursive input determined au- 
tomata, denoted rec-IDA, and their floating counterparts frec-IDA. Let Rop be 
a finite set of recursive input determined operators. Then the class of rec-IDA's 
over {E, Rop), and the timed languages they accept, are defined as follows. 

— Every IDA A over S that uses only the guard T is a rec-IDA over {U, Rop), 
and accepts the timed language L{A). 



Similarly, every floating IDA B over S which uses only the guard T is a 
frec-IDA over {S, Rop), and accepts the floating language {B). 
— Let C be a finite collection of frec-IDA's over {E,Rop). Let Op be the set 
of input determined operators {Z\e | Z\ G Rop, B € C}, where the seman- 
tic function of each Z\g is given as follows. Let pos{a,B) denote the set of 
positions i such that (ct, i) G Lf{B). Then |Z\e](a-, i) = lA1{pos{a,B),a,i). 
Then any IDA A over (S, Op) is a rec-IDA over {U, Rop), and accepts the 
timed language L{A) (defined in Section 

Similarly every floating IDA B over {2J, Op) is a frec-IDA over {S, Rop), and 
accepts the floating language [B). 

Recursive automata fall into a natural "level" based on the level of nesting 
of operators they use. A rec-IDA is of level if the only guard it uses is T. 
Similarly a frec-IDA is of level 0, if the only guard it uses is T. A rec-IDA is of 
level (i-l-l) if it uses an operator As, with A G Rop and B a frec-IDA of level 
i, and no operator A'q with A' G Rop and C of level greater than i. A similar 
definition of level applies to frec-IDA's. 

As an example consider the level 1 rec-IDA A over the alphabet {a, h] below. 
The floating automaton B accepts a floating word [a, i) iff the position i is 
labelled b and the previous and next positions are labelled a. The recursive 
input determined operator O is defined formally in Sec. |H1 The rec-IDA A thus 
recognises the set of timed words a over {a,b} which begin with an a and have 
an occurrence of & - with a's on its left and right ~ exactly 1 time unit later. 



Theorem 5. The class of rec-IDA 's over (S, Rop) is closed under boolean op- 
erations. In fact, for each i, the class of level i rec-IDA 's is closed under boolean 
operations. 

Proof. Let A and A' be two rec-IDA's of level i. Let Op be the union of operators 
used in A and A'. Then both A and A' are IDA's over {S, Op), and hence by 
Theorem 2] there exists an IDA B over {S, Op) which accepts L{A) U L{A'). 
Similarly there exists an IDA C over {E, Op), which accepts the language TX'" — 
L{A). Notice that B and C use the same set of operators Op, and hence are also 
level i automata. □ 

We note that IDA's over {S, Op) are a special case of level 1 rec-IDA's over 
{S, Rop), where the set of recursive operators Rop is taken to be {A' \ A G Op} 
with lA'j{X,a,i) = lAj{a,i). Thus each guard / G Zi in an IDA over {E, Op) 
can be replaced by the guard / G for any "dummy" level frec-IDA B. 

6 MSO characterisation of rec-IDA's 

We now introduce a recursive version of TMSO which will characterise the class 
of timed languages defined by rec-IDA's. The logic is parameterised by an al- 



A: 




phabet S and set of recursive input determined operators Rop, and denoted 
rec-TMSO(Z', Rop). The syntax of the logic is given by 

■■— Qa{x) I / G '^^{x) \ x^X\x<y \ -^Lp I (93 V (p) I 3xLp I 3Xip. 

In the predicate / G A^{x), we have / G 2q, Z\ G Rop, and a rec-TMS0(i7, Rop) 
formula with a single free variable z. 

The logic is interpreted over timed words in TS^ . Its semantics is similar 
to TMSO except for the predicate "/ G Z\^(a:)" which is defined inductively 
as follows. If t/i is a formula which uses no A predicates, then the satisfaction 
relation a,l\= ip \s defined as for TMSO. Inductively, assuming the semantics of 
^1) has already been defined, is interpreted as an input determined operator 
as follows. Let pos{a, ip) denote the set of interpretations for z that make V' true 
in the timed word a - i.e. pos{a,ip) = {i \ a, [i/z] \= 4'}- Then 

lA^lia,i) = [Z\l(pos(a,^),a,i). 

Thus we have 

a,l\^ I e A^,{x) iff /G lAlipos{a,iP),a,l{x)). 

Note that the variable z, which is free in ^, is not free in the formula / G 
Afi,{x). A sentence cp in rec-TMSO (Z", i?op) defines the language L(ip) — {o' \= 
if}, and a rec-TMSO(Z', Rop) formula tp with one free variable z defines a floating 
language {ip) = {cr, « | cr, [i/z] |= ■0}. 

We note that each rec-TMSO(^, Rop) formula if can be viewed as a TMSO(Z', Op) 
formula, for a suitably defined set of input determined operators Op. We say an 
operator A^ has a top-level occurrence in Lp if there is an occurrence of A^ in 
ip which is not in the scope of any A' operator. We can now take Op to be the 
set of all top-level operators A.^ in p. 

Analogous to the notion of level for rec-IDA's we can define the level of an 
rec-TMSO formula ip. The level of f is 0, if ip uses no A predicates, ip has level 
i + 1 if it uses a predicate of the form / G A^ [x) with ■0 a level i formula, and 
no predicate of the form / G A'^{x) with cf) of level greater than i. 

As an example the level 1 sentence p) below defines the same timed language 
as the level 1 rec-IDA A defined in Section|21 We can take pi to be \lx{zero{x) =J> 
{Qa{x) A ([1, 1] G where ip is the level formula Qb{z) A Qa(z - 1) A 

Qa{z+l). 

Theorem 6. L C TS^ is accepted by a rec-IDA over {E, Rop) iff L is definable 
by a rec-TMSO(Z', i?op) sentence. 

In fact, we will show that for each i, the class of rec-IDA's of level i correspond 
to the sentences of rec-TMSO (U, J2op) of level i. But first it will be useful to 
state a characterisation of floating languages along the lines of Theorem 13 

Theorem 7. Let L be a a floating language over U. Then L = (B) for some 
floating IDA over {S, Op) iff L = {ip), for some TMSO(Z', Op) formula ip 
with one free variable. 



Proof. Let B he a, floating IDA over {S, Op). Keeping in mind that B runs over 
the alphabet S x {0, 1}, we define a formula ip with one free variable z as follows. 
tjj is the formula tp given in the proof of Theorem |21 except for the clause (*) 
which we replace by 

AVa;((a; = z)^ Y {x e Xi A {x + l)eXj AQaix)Ag') 

((»,1).3) 

9i — » qj 

A{x^z)^ y {x e Xi A (x + l) e Xj AQa{x) Ag')). 

((»,0),g) 

"3i — » gj 

The formula -0 satisfies {a, i) G {B) iff ct, [i/z] |= V- 

In the converse direction, let (p(m,n) denote a TMS0(I7, Op) formula with 
free variables xi,. .. ,XrmXi . . . Xn. An interpretation I for these variables is 
encoded (along with a) as a timed word over E x {0,1}™"'"". We extend the 
definition of a floating IDA to an IDA which works over such an alphabet, where, 
in particular, the A operators apply only to the S component of the timed word. 
Then we can inductively associate with (p{m, n) a floating IDA B over E x {0, 1} 
such that L^{B) = L^{ip). In the inductive step for 3Xn{ip{m,n)) we make use 
of the fact that the class of languages accepted by floating IDA's over {S, Op) 
are closed under the restricted renaming operation required in this case. The 
reader is referred to [S] for a similar argument. □ 

Returning now to the proof of Theorem we use induction on the level of 
automata and formulas to argue that 

LLC TE'^ is accepted by a level i rec-IDA over {E, Rop) iff L is definable by 

a level i rec-TMSO(Z', Rop) sentence (p. And 
2. A floating language L over E is accepted by a level i frec-IDA over {E, Rop) 

iff L is definable by a level i rec-TMSO(Z', Rop) formula V' with one free 

variable. 

For the base case we consider level automata and sentences. Since level 
automata only make use of the guard T, they are simply Biichi automata over 
E. Similarly, level sentences don't use any A predicates and hence they are 
simply MSO(Z') sentences. By Biichi's theorem, we have that level automata 
and sentences are expressively equivalent. 

For the base case for the second part of the claim, given a level floating 
automaton B we can apply the construction in the proof of Theorem |7| to get a 
TMSO(Z') formula ip with one free variable. Since the construction preserves the 
guards used, ip has no A operators, and hence is a level rec-TMSO {E, Rop) 
formula. Conversely, for a level formula "0 we can apply the construction of 
Theorem [3 to obtain a floating automaton B such that L^{B) = L^{tp). The 
construction preserves the A operators used, and hence S is a level automaton. 

Turning now to the induction step, let A he a, level i + 1 automaton over 
{E,Rop). Let Op be the set of top-level A operators in A. Now since A is an 



IDA over {U, Op), by Theorem [3 we have a TMS0(i7, Op) sentence cp such 
that L{A) = L{(p). Now for each Z\g in Op, B is of level i or lower, and by our 
induction hypothesis there is a corresponding rec-TMSO(Z', Rop) formula ip with 
one free variable, of the same level as B, with {B) — (ip). Hence for each As 
we have a semantically equivalent operator A^. This is because L^{B) = Lf{ip), 
which implies pos{a,B) = pos{u,ij)), which in turn implies = [^4^]. We 

can now simply replace each occurrence of A^ in Lp to get an equivalent sentence 
(p' which is in rec-TMSO(Z', Rop). Further, by construction it follows that ip' is 
also of level i + 1. 

Conversely, let 93 be a level i + 1 sentence in rec-TMSO(Z', Rop). Let Op be 
the set of top level A operators in (p. Then 1^9 is a TMSO(Z', Op) sentence, and 
hence by Theorem|21we have an equivalent input determined automaton A over 
{S, Op). Once again, for each A^ in Op, the formula "0 is of level i or lower, and 
hence by induction hypothesis we have a free- IDA B over [S, Rop), of the same 
level as ip, and accepting the same floating language. The operators A^ and 
Ajs are now equivalent, and we can replace each A^ in A by the corresponding 
As to get a language equivalent input determined automaton. This automaton 
is now the required level i + 1 rec-IDA over {E, Rop) which accepts the same 
language as L{p). 

The induction step for part [21 is proved similarly, making use of Theorem 
and the induction hypothesis. This completes the proof of Theorem □ 

7 Expressive completeness of rec-TLTL 

We now define a recursive timed temporal logic along the lines of ||9| . The logic 
is similar to the logic TLTL defined in Sec. 2| It is parameterised by an al- 
phabet S and a set of recursive input determined operators Rop, and denoted 
rec-TLTL(S, Rop). The syntax of the logic is given by 

9::= a\IeAe \ 06 \ GO \ {9Ue) \ {639) \ ^6* | (6* V d), 

where a & U, and A e Rop. 

The logic is interpreted over timed words in a similar manner to TLTL. The 
predicate I E Ag is interpreted as follows. If 6 does not use a A predicate, then 
the satisfaction relation a,i \= 9 is defined as for TLTL. Inductively assuming 
the semantics of a rec-TLTL(S, Rop) formula 9 has been defined, and setting 
pos{(j,6) = {i G N I cr, « 1= 6}, the operator Ag is interpreted as an input 
determined operator with the semantic function 

lAgj{a,t)^lAj{pos{<j,9),a,i). 

The satisfaction relation a,i \^ I G Ae is then defined as in TLTL. 

Once again, since Ag behaves like an input determined operator, each rec-TLTL(S, Rop) 
formula is also a TLTL(I7, Op) formula, for an appropriately chosen set of input 
determined operators Op, containing operators of the form Ag. A rec-TLTL(E, Rop) 
formula 9 naturally defines both a timed language L{d) — {a € TS'^ | cr, |= f?} 
and a floating language {9) = {{a,i) \ a,i \= 9}. 



As an example, the formula a A ([1, 1] G Og) where 9 ^ b A 0a A 0a, restates 
the property expressed by the rec-TMSO formula in Sec. IHI 

Let us denote by rec-TFO(Z', Rop) the first-order fragment of the logic rec-TMSO(Z', Rop). 
Then we have the following expressive completeness result: 

Theorem 8. rec -TLTL ( E, i?op) is expressively equivalent to rec -TFO(Z', i?op). 

Proof. As before we show that formulas in the logics are equivalent level-wise 
(the level of a rec-TLTL formula being defined analogous to rec-TMSO). We 
show by induction on i that 

1. A timed language L C TZ"^ is definable by a level i rec-TLTL(S], i?op) 
formula iff it is definable by a level i rec-TFO(Z', Rop) sentence. 

2. A floating timed language over E is definable by a level i rec-TLTL(I], Rop) 
formula iff it is definable by a level i rec-TFO(Z', Rop) formula with one free 
variable. 

The base case for part ^ follows from Theorem 0] since level formulas are 
simply untimed LTL(Z') and FO(Z') formulas. For the base case for part|21 a level 
rec-TLTL(E, Rop) formula 9 can be translated to a level rec-TFO(Z', Rop) 
formula ij) with one free variable z using the translation given in the proof of 
Theorem |31 The formula ij) satisfies tr, [i/z] |= V' iff cT;^ H ^- The converse 
direction follows immediately from the following version of Kamp's result: 

Theorem 9 (|1U|). For any FO(yl) formula ip with one free variable z, there 
is a LTL(^) formula 9 s.t. for each a G A'^ and i G N, a, [i/z] \= ip iff a,i \^ 9. 

Turning now to the induction step, let be a level i + 1 rec-TLTL(E, Rop) 
formula. Let Op be the set of top-level A operators used in 9. Then 6* is a 
TLTL(Z', Op) formula, and hence by TheoremOwe have an equivalent TF0(I7, Op) 
sentence ip (i.e. with L{9) = L{(p)). Now each operator in Op is of the form 
where is a level i or less rec-TLTL(S, Rop) formula, and hence by the induc- 
tion hypothesis we have an equivalent rec-TFO(Z', Rop) formula "0 with one free 
variable, such that [rf) — Lf{ip). It now follows that the input determined op- 
erators and are semantically equivalent, and hence we can replace each 
Ari by A^ in ip to get an equivalent rec-TFO(Z', Rop) sentence ip' . By construc- 
tion, the sentence p' is also of level i + 1. The converse direction is argued in a 
very similar manner, once again factoring through Theorem |3| 

For part 13 a level i + 1 rec-TLTL(E, Rop) formula 6* is a TLTL(Z', Op) 
formula, for the set of operators Op defined above. Now using the translation 
given in the proof of Theorem |3| we obtain a TFO{S, Op) formula ip with a 
one free variable, satisfying L^{9) = {ip). Again, by the induction hypothesis, 
we can replace each in Op with an equivalent A^, to get an equivalent 
rec-TFO(Z', Rop) with the required properties. 

In the converse direction, let iphe a. level i-\-l rec-TFO(Z', Rop) formula with 
one free variable z. Let Op be set of top-level A operators in ip. Then ip is also a 
formula in TFO(Z', Op). Let F be the proper symbolic alphabet induced by ip. 
Then we can use the translation t-s (cf. SecOj) on ip (w.r.t. F) to get a formula 



tp in FO{r) with one free variable z which preserves timed models. By Kamp's 
theorem above, we have an equivalent LTL(P) formula 6 which preserves the 
floating language accepted. Finally we can apply the translation s-t on 9 to get 
a TLTL(Z', Op) formula 9 which preserves timed models (cf. Sec.0J). The formula 
9 satisfies the property that L-f{9) = L-f{tp). 

Now using the induction hypothesis each operator in 9 can be replaced by 
an equivalent A^i operator, with rj a TLTL(i7, Op) formula, to get an equivalent 
level i + 1 rec-TLTL(E, Rop) formula 9'. This ends the proof of Theorem|Hl □ 

8 Expressive completeness of MITL 

As an application of the results in this paper we show that the logic MITL 
introduced in |2j is expressively equivalent to rec-TFO for a suitably defined set 
of recursive input determined operators. We point out here that this result is 
shown for the pointwise semantics of MITL given below. We begin with the logic 
MTL{S) which has the following syntax 



Here / is an interval in Zq. When / is restricted to be non-singular (i.e. not of the 
form [r,r]) then we get the logic MITL(Z'). The logic is interpreted over timed 
words in TE'^ similarly to TLTL. The modalities Uj and Sj are interpreted as 
follows, for a timed word a — {a, t). 

(7,i \^ OUiTj iff 3A; > z : cr, fc |= ry, T(fc) — r(i) G /, and Vj : i < j < k, a, j \^ 9 
(T,i \^ 9Siri iS 3k < i : cr, fc |= ri,T{i) — T{k) G /, and Vj : k < j < i, cr, j 1= 9. 

We first observe that MTL(Z') is expressively equivalent to its sublogic 
MTL^(i7) in which the modalities Uj and Sj are replaced by the modalities 
S, O/ and 0/, where U and S are as usual and Oi9 — TUi9 and <$>/0 = TSi9. 
This is because the formula 9Uir] (and dually 9Sirf) can be translated as follows. 
Here ')' denotes either a ']' or ')' interval bracket. 



Next we consider the logic rec-TLTL(I], {O, <S>}) where the semantics of the 
recursive input determined operators O and O are given below (as usual a G 
TS'^ with cr = (a,r)). 



The logic MTL*(Z') is clearly expressively equivalent to rec-TLTL(i;, {O, <S>}) 
since the predicates <>i9 and I € Og are equivalent. Using Theorem |S1 we can 
now conclude that 



9 



a I 09 I 09 I {9Ui9) \ {9Si9) \^9\{9y 9). 




lO\{X,a,i) ={IelQ I 3j eX : j> i, and r, - r, G /} 
[^K^, *) = e I 3j G X : j< i, and n - G /}. 



Theorem 10. MTL(Z') is expressively equivalent to rec-TFO(Z', {O, <$> }). 

Let rec-TFO^ denote the restriction of rec-TFO to non-singular intervals. 
Then since the translation of MTL to MTL* does not introduce any singular 
intervals, and the constructions in Theoreni|Slpreserve the interval vocabulary of 
the formulas, we conclude that the logics MITL(i:) and rec-TFO,^ (Z", {O, ❖ }) 
are expressively equivalent. 
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